Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down ... (32024R2690)
CONTENTS
Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers
- COMMISSION IMPLEMENTING REGULATION (EU) 2024/2690
- of 17 October 2024
- laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers
- (Text with EEA relevance)
- Article 1: Subject matter
- Article 2: Technical and methodological requirements
- Article 3: Significant incidents
- Article 4: Recurring incidents
- Article 5: Significant incidents with regard to DNS service providers
- Article 6: Significant incidents with regard to TLD name registries
- Article 7: Significant incidents with regard to cloud computing service providers
- Article 8: Significant incidents with regard to data centre service providers
- Article 9: Significant incidents with regard to content delivery network providers
- Article 10: Significant incidents with regard to managed service providers and managed security service providers
- Article 11: Significant incidents with regard to providers of online marketplaces
- Article 12: Significant incidents with regard to providers of online search engines
- Article 13: Significant incidents with regard to providers of social networking services platforms
- Article 14: Significant incidents with regard to trust service providers
- Article 15: Repeal
- Article 16: Entry into force and application
- ANNEX: Technical and methodological requirements referred to in Article 2 of this Regulation
  - 1. Policy on the security of network and information systems (Article 21(2), point (a), of Directive (EU) 2022/2555)
    - 1.1. Policy on the security of network and information systems
    - 1.2. Roles, responsibilities and authorities
  - 2. Risk management policy (Article 21(2), point (a), of Directive (EU) 2022/2555)
    - 2.1. Risk management framework
    - 2.2. Compliance monitoring
    - 2.3. Independent review of information and network security
  - 3. Incident handling (Article 21(2), point (b), of Directive (EU) 2022/2555)
    - 3.1. Incident handling policy
    - 3.2. Monitoring and logging
    - 3.3. Event reporting
    - 3.4. Event assessment and classification
    - 3.5. Incident response
    - 3.6. Post-incident reviews
  - 4. Business continuity and crisis management (Article 21(2), point (c), of Directive (EU) 2022/2555)
    - 4.1. Business continuity and disaster recovery plan
    - 4.2. Backup and redundancy management
    - 4.3. Crisis management
  - 5. Supply chain security (Article 21(2), point (d), of Directive (EU) 2022/2555)
    - 5.1. Supply chain security policy
    - 5.2. Directory of suppliers and service providers
  - 6. Security in network and information systems acquisition, development and maintenance (Article 21(2), point (e), of Directive (EU) 2022/2555)
    - 6.1. Security in acquisition of ICT services or ICT products
    - 6.2. Secure development life cycle
    - 6.3. Configuration management
    - 6.4. Change management, repairs and maintenance
    - 6.5. Security testing
    - 6.6. Security patch management
    - 6.7. Network security
    - 6.8. Network segmentation
    - 6.9. Protection against malicious and unauthorised software
    - 6.10. Vulnerability handling and disclosure
  - 7. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures (Article 21(2), point (f), of Directive (EU) 2022/2555)
  - 8. Basic cyber hygiene practices and security training (Article 21(2), point (g), of Directive (EU) 2022/2555)
    - 8.1. Awareness raising and basic cyber hygiene practices
    - 8.2. Security training
  - 9. Cryptography (Article 21(2), point (h), of Directive (EU) 2022/2555)
  - 10. Human resources security (Article 21(2), point (i), of Directive (EU) 2022/2555)
    - 10.1. Human resources security
    - 10.2. Verification of background
    - 10.3. Termination or change of employment procedures
    - 10.4. Disciplinary process
  - 11. Access control (Article 21(2), points (i) and (j), of Directive (EU) 2022/2555)
    - 11.1. Access control policy
    - 11.2. Management of access rights
    - 11.3. Privileged accounts and system administration accounts
    - 11.4. Administration systems
    - 11.5. Identification
    - 11.6. Authentication
    - 11.7. Multi-factor authentication
  - 12. Asset management (Article 21(2), point (i), of Directive (EU) 2022/2555)
    - 12.1. Asset classification
    - 12.2. Handling of assets
    - 12.3. Removable media policy
    - 12.4. Asset inventory
    - 12.5. Deposit, return or deletion of assets upon termination of employment
  - 13. Environmental and physical security (Article 21(2), points (c), (e) and (i), of Directive (EU) 2022/2555)
    - 13.1. Supporting utilities
    - 13.2. Protection against physical and environmental threats
    - 13.3. Perimeter and physical access control